Ransom:Win32/Mambretor.A
First posted on 27 September 2016.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Mambretor.A.
Explanation:
Installation
When installed, this threat creates the following files:
- C:\DC22\dcapi.dll
- C:\DC22\dccon.exe
- C:\DC22\dcinst.exe
- C:\DC22\dcrypt.exe
- C:\DC22\dcrypt.sys
- C:\DC22\log_file.txt
- C:\DC22\mount.exe
- C:\DC22\netpass.exe
- C:\DC22\netpass.txt
- C:\DC22\netuse.txt
Payload
This threat attempts to encrypt local hard drives and accessible mapped network drives.
It creates a service named "DefragmentService" and adds a user named "mythbusters" with password "123456".
It then reboots the PC. At the next boot, the malicious service begins the encryption process, which may take several minutes.
If the infection is successful, the PC will display the following message at the next reboot:
Analysis by Andrea Lelli. Last update 27 September 2016.
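The dropped files, the "DefragmentService" service and the "mythbusters" account listed under Installation and Payload can be checked for in one host-triage pass. The script below is an added example, not part of the Microsoft entry; the driver check assumes the loaded module name matches the dcrypt.sys file name, which the entry does not state.

```powershell
# Added triage check for the Ransom:Win32/Mambretor.A indicators in this entry.
# Run in an elevated PowerShell (5.1 or later) session on the host under review.
$findings = @()

# 1. Files the threat drops (paths exactly as listed under Installation)
$paths = @(
  'C:\DC22\dcapi.dll', 'C:\DC22\dccon.exe', 'C:\DC22\dcinst.exe', 'C:\DC22\dcrypt.exe',
  'C:\DC22\dcrypt.sys', 'C:\DC22\log_file.txt', 'C:\DC22\mount.exe',
  'C:\DC22\netpass.exe', 'C:\DC22\netpass.txt', 'C:\DC22\netuse.txt'
)
foreach ($p in $paths) {
  if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. The service the threat registers to run the encryption after reboot
$svc = Get-Service -Name 'DefragmentService' -ErrorAction SilentlyContinue
if ($svc) {
  $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='DefragmentService'"
  $findings += "Service present: DefragmentService (state=$($svc.Status), path=$($cfg.PathName))"
}

# 3. The local account the threat adds
$user = Get-LocalUser -Name 'mythbusters' -ErrorAction SilentlyContinue
if ($user) { $findings += "Local user present: mythbusters (enabled=$($user.Enabled))" }

# 4. Assumption: the kernel driver, if loaded, is registered under a name starting with 'dcrypt'
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE 'dcrypt%'" -ErrorAction SilentlyContinue
foreach ($d in $drv) { $findings += "Driver registered: $($d.Name) (state=$($d.State))" }

if ($findings.Count -eq 0) {
  Write-Output 'No Mambretor.A indicators found.'
} else {
  Write-Output "Mambretor.A indicators found on $($env:COMPUTERNAME):"
  $findings | ForEach-Object { Write-Output "  $_" }
  exit 1
}
```

A non-zero exit code makes the script usable from a fleet-wide job; any hit should be followed by isolating the host before the pending reboot completes the encryption.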